
He is a sysadmin that refused to disclose passwords to an office which had the prudence to disclose ALL of those LIVE passwords and usernames as evidence in a public court... exposing personal information of millions of citizens in public databases...

I doubt that a randomly selected array of 20-30 Americans would be able to understand how insanely stupid this is.

It is my understanding his employment was specific in that he would only disclose the password to the mayor alone. This never happened, thus he never disclosed the password. This case did not require any technical knowledge to grasp the facts, so I am unsure how the jury could come to this result.

The lesson here is to do whatever your boss says, even if it is incredibly stupid and will make your job entirely unmanageable...

Well, I would have to agree that my 'inner security geek' would have had to swallow really hard a few times before stating production passwords over a teleconference with unknown people. Hell, I would expect to be fired just for doing that.

Damned if you do, damned if you don't. Sometimes you just have to suck it up and go look for another job. The sad part is that Terry was probably just a conscientious civil servant, and the boss was a know-nothing political appointee. Terry had probably seen more than a few of these appointed ass-hats come and go, and figured this was just another little tempest that would blow over.

As stupid as it is, it's the law. He has an obligation to follow the law, not a moral technical compass. If there is a problem with the law then it needs to be changed, not broken. You and your technical vigilantes need to be stopped from taking technology into your own hands.

How exactly was he breaking the law? As I understand it, the whole issue wasn't that he tampered with anything. Instead, he refused to disclose the passwords when the person requesting them did not follow proper protocols.

Yes. Security rightly assumes that the weakest link of any computer/information protection is the humans. He followed their policy about how to deal with people trying to get access, no matter where or how powerful those people were.

A low UID does not make you smart I see. He committed a crime 25 years earlier. I went to prison when I was 17, and am now 41. Time changes folks, and not just prison time. You are a very narrow minded and prejudiced SOB if you are going to hold stuff against people 25 years after they did the crime.

Sounds like this could have some bad repercussions for IT folks. Of course all I know about the situation is what has been posted on Slashdot. There could be, and usually is, more to the story. Now that the trial is over with, will the court records be posted somewhere?

That's an excellent question. Throughout this entire case I've felt like I was only getting one side of the story. For example, I haven't seen any quotes from the prosecutor. Prosecuting someone for failing to disclose a password is absurd. There has got to be something else going on.

I think the lesson to be learned here is to demand legal statements from people that absolve you of responsibility for their stupidity. "You want these passwords? First give me something I can bring to court, so that when you screw up, you cannot try to blame me." The courts have shown that these are the sorts of measures we must take -- not to try to prevent the damage from being done, but to prevent the idiots who cause problems from passing the responsibility off to us.

He was given the option to hand over the passwords and walk away or face jail time. He could have handed everything over (even though it violated a contract) and it would all be forgotten. Through some misguided sense of morals or utter stupidity he chose to let it go to trial.

Don't kid yourselves for one second, juries are stacked with wishy washy room temp IQ dullards who are easily swayed on emotional opinions. Do you think this jury had any clue what a password file or network topology was? He was portrayed as a rogue agent against the goody two shoes city and they fell for it.

Actually, you're missing experiencing the whole trial from the jury box. All we've been given here on /. is soundbites of the trial. We don't know all the evidence presented by the prosecution. We don't know all the evidence provided by the defense. All we know are little bits of info given to us by biased sources. Unless one sat in on the whole trial, slandering the jury is inappropriate.

Look. I know IT doesn't have a union. And I wouldn't want one as a programmer and sysadmin based on everything I've ever seen about a union. But this is the time to speak out through actions.

Any IT professional of any competence, and with any amount of self respect needs to refuse to do business with ANYONE who services the city of SF--directly or indirectly. I will be, and will indicate as much explicitly to anyone acting for or on behalf of the city--directly or indirectly that until a full pardon and compensation is paid to Childs, and the relevant individuals are removed from office for corruption, I will not provide any professional services.

If the relevant DA or mayor retires or resigns without reprimand and appropriate court sanctions, I will *never* provide such services.

Yes, I know many people say Childs acted unprofessionally--that's not the point. By refusing to provide the passwords, it would have been arguably justifiable to fire him. He was arrested for refusing to provide passwords after he was already fired--not his problem any more. Had they arrested him before firing him there *might* have been an argument.

I refuse to work for any organization that supports this. And I hope that the members of /. refuse to as well, unless or until the city releases far more compelling evidence of destructive intent than has come to light thus far.

Of course, it's easier for me to say as I'm two states east...but I've a client or two out there.

I wonder how the guys who took over Terry's job feel now. I'd be looking for alternative employment at this point -> like maybe a ditch digger or something that just might not get you pooched by the judicial system.

That being said... dunno... this sets a bad precedent for sysadmins/IT ppl... as this can basically also be interpreted as "if you secure your network from novices who may break the network, you might be guilty of a crime"

If your boss demands the password, give it to them. Send them a letter along with the passwords saying that you are doing it under protest if you want, warn them of the dangers, whatever, but don't be idiotic. So they screw up and the network goes down, big deal, it's a freaking network not the entirety of modern civilization. Some sysadmins have waaay too high an opinion of the importance of their computer systems.

It was very probably being a jerk that got him convicted - people are much more likely to convict the headstrong than the guilty. I don't know if he really was guilty of anything, I've not really examined the evidence, but it's a well-documented psychological flaw of individuals that looks and personalities have a far far greater bearing on who is convicted than the actual evidence itself. There is no fix for this bug that is not worse than the bug itself.

Even if he were guilty, his real "crime" would be being a little too uptight, perhaps being an a-hole a little too often, and maybe being a little obnoxious. Note that these are only true if he actually is guilty of something. I fail to see how a purely punitive system is going to be useful in correcting these issues, which are not uncommon amongst those with Geek Syndrome (aka Asperger's). In the same way drunk drivers are sometimes ordered to attend AA meetings, the most suitable punishment (again IF he is guilty) would be to require him to attend an Asperger's group and/or get checked-out by a pdoc for some sort of treatment regimen. (Asperger's is not, technically, treatable but CAN aggravate other problems that are.) This would be cheaper than prison, by a LONG way, be far more likely to be effective, AND would be more likely to increase his value to society (whereas prison rots skills and therefore decreases value).

This guy was in the employ of the city government, which necessarily acts differently than a corp, which makes your analogy false. His direct bosses don't make the rules, the elected officials do. The difference is crucial. Furthermore, his following the rules was not to the detriment of the city.

There's a simple lesson here: don't put policy over what the police tell you to do. Yes, the police may be wrong (and probably are), but that's not your problem. Remember, the police and the government here in America are utterly corrupt, and fighting against that is futile; it's like trying to fight against corruption in the Mexican government (our governments are just as corrupt as each other; the only difference is that Mexican citizens have no illusions about their government and police being anything but corrupt, unlike Americans).

Another simple lesson here: don't work in IT for a city or state government. There's plenty of private-sector jobs out there that pay at least as much, and the worst that can happen to you is you get fired, rather than going to pound-me-in-the-ass prison for 5 years.

Of course you are. NDAs can last 5+ years, classified information remains classified for 50+ years, and networking between bosses on the golf course lasts forever. These are utterly unavoidable, which is why I believe corporations and governments should have obligations at least as stringent. It has to be symmetrical, or a damn good approximation. (Which is why I believe unions - if implemented and run correctly and fairly - are also essential. "Employment at will" does not exist in reality. What exists is employment at the employer's whim. You can check out any time you like, but you can never leave - until the boss says so. Irritate the wrong boss, and you'll never work in that town, city, State or Country again, because that's how networking works at the upper levels. This makes it impossible to switch jobs, save by your boss' consent. The system is feudal and peons have no say in feudal systems. Peons will get walked over, and there is nothing they can do to stop it, no matter what "employment at will" rights they think they have.)

Unfortunately that may be how the conversation actually went, but without the joke. I would like to think that in a situation like that most people would say something like: "I want to help, I really do, but if I may please explain, there is a policy..."

However real people under real stress can behave in less than rational ways. And, sadly, in the real world even a small single negative action can result in an avalanche of unpleasant reactions.

It is unfortunate that so many people attempt to dodge jury duty instead of doing their duty and giving other citizens the fair trial to which they are entitled. I wish more saw it as an opportunity to better our society instead of a burden to be avoided.

Slandering the jury is totally appropriate. It's part of the system. They made a bad call. They made a ridiculously bad call. They made a howlingly, ridiculously bad call. Morons, one and all.

Part of the loveliness of living in this country is that I now get to stand up and sing out like Monty Python that twelve mouth-breathing baboons -- no offense to the ACTUAL baboons in their red-butted glory, mind you -- twelve pin-headed boot-licking idiots just sent a man to prison for poor social skills.

And it is entirely appropriate that the denizens of this board call them on it.

There is just no way around it, no matter how big a douche your employer is, or how wrong or unfair you think it is, or how big a mistake they are making... withholding your employers' passwords will land you in jail.

Some may work up some emotion over this, but I don't think this will really be a surprise to many people.

Here's a hint; when you end up in a room with the cops and a lot of your management, fine, ask for your lawyer, but don't plan on using that same management's written policy against them. They are management - they wrote the policy. They're telling you their new policy. Verbally. In no uncertain terms. With the cops present.

You cannot lock your customers out of their equipment. This is not a legal theory our society will ever adopt, nor should it. Imagine if the courts agreed that IT staff has discretion to withhold their customers' own passwords. "They weren't smart enough to have it." "They asked for it the wrong way." "They once had a written policy that I shouldn't tell them."

OK, so no one can ever fire you. When can't you come up with an excuse to lock the equipment and walk off? Imagine if the courts blessed it! You could pull that burn off and coast, untouchable. Yeah, that philosophy really has legs.

You: "Give me the password."
Your employee: "No."
You: "You're violating my policy - I need the password."
Your employee: "I disagree. I have my own interpretation of your policy."
You: "You're fired."
Your former employee: "Great, now I definitely won't give you the password."
You: "Obviously I'm not paying you to refuse to do what I'm asking. But you still have my passwords."
Your former employee: "Fine, but since you're not paying me, I'm not your slave. You can't force me to perform."

Hear that sound? It's the eyes of every slave who ever lived rolling back in their heads.

Think about it. Childs could, if he truly was motivated by fear of violating a policy, have called his lawyer into the room, to say: "no problem, we'll give you the passwords, we just need you to release us from liability for disclosing those passwords, one pager, sign here..." He didn't, because this was about ego, not policy. He just didn't want to have to cave and do what they said. He's not the first - many an outsized ego has landed its owner in prison.

What does his past misconduct, his being a jerk, or having bad things at home have to do with his treatment of the city network? I don't see the connection. Only being a jerk, in fact... and if he was following the letter of the laws and policies (which discussion here seems to indicate), that should have been OK.

The take-away from this seems to be, if a superior is bullying you for passwords or other information you're contractually obliged to not give them, don't just tell them "No". Rather, tell them, "(Company|City|State|DOD) policy XYZ prevents me from doing this over the phone. I need to either do it in writing, or get a written statement from Q, P, or W that doing so will violate neither my contract nor any applicable laws." This makes it clear you DO want to help them, but with constraints.

We are not talking about passwords to his email, his domain account, his laptop, etc. We are talking about THE password (there is only ONE) to Cisco IOS routers and switches.
It is the equivalent of root passwords that don't belong to any single person.

That being said, I still think his prosecution is essentially the city behaving like a 5 year old child. The city's CTO should be sacked ASAP for such a huge failure of management: no documentation, no backups of running configs, no cross-training among personnel so there wouldn't be a single person responsible, etc., etc. No large company runs like that.

Funny thing: illegal aliens breaking into houses HAVE sued the homeowners for such things as falling on a knife and injuring their legs. Kids screwing around on the roofs of schools have sued the school district when they, illegally trespassing, nevertheless fell through a skylight and injured themselves.

In other words, the law is fucked up, and the fact that you can manage to empanel a jury of 12 retards who don't understand the law & policy, scare them with "wooh this was scary internets stuff", and then have a paid-off judge give the jury bad instructions doesn't help.

On a related note, we have got to stop letting prosecutors put people in jail for life or on death row for purely circumstantial cases (i.e. no DNA, no witnesses, no single scrap of viable evidence whatsoever). The number of people who've been put on death row, who have been found innocent is suggesting the entire system is horribly broken, and that in fact greater than 10% of those found guilty of capital crimes are innocent.

I agree completely. I'm all for a harsh punishment when there's plenty of real evidence that the person is guilty, like on CSI. But if the prosecution can't come up with anything more than flimsy circumstantial evidence, then forget it.

I know CSI is just a TV show, but why can't real life be more like that, where they actually find real physical evidence to convict people? I'm guessing the answer is probably 1) the stupid meat-head cops frequently contaminate the crime scene, rendering all evidence suspect or inadmissible, 2) the local governments don't bother to fund crime labs very well, and 3) because of poor funding, very few smart people ever bother to go into a career of being a crime scene investigator, and it takes a smart and clever person to put the clues and evidence together to solve the crime.

Eventually instead of doing mayor stuff, all of the mayor's time would be tied up with having to deal with all sorts of insignificant chickenshit stuff because some self-important flunky wanted attention from the big boss man in order to feel important instead of sticking with the chain of command.

He should have just given up the passwords. They weren't his computer systems. He was just an employee. I don't care what anyone here says. Let's say you have a work truck that your employer provides. You are to take the keys in the morning and leave them back when you leave. Do you just go home with the keys in your pocket? I mean none of this makes any sense to me. If he wasn't accessing the network anymore, why would he need the passwords? It certainly didn't benefit him to withhold them. I think he was just blindly obsessed, stupid, or an ignorant prick. The punishment is harsh, and really doesn't fit the crime, but by holding the passwords hostage he had essentially owned the network which certainly caused a lot of headaches for his previous employers. In any organization that large it is utterly foolish to leave all of the keys in one person's hands. What if they die? Go batshit crazy? We are not just talking about a couple of rackmounts in a closet here. Wasn't it a city wide network or something? That was tax payer funded? He may have felt that nobody was capable of running "his" network, but since he was no longer employed there, it really wasn't his place to be concerned with their future. I don't know if what he did warrants a felony charge, but it was certainly unjust. Maybe he felt that he owed his previous employers nothing, but when they haul your ass into court you might as well at least give them what they want, and they certainly didn't ask for much. It's never a good idea to plot against your keepers. Don't bite the hand that feeds you. At least in America you can always leave and fall back to aggravated robbery. We see how well that plan worked out for him in the past.

Terry Childs is a moron if you ask me, and his foolish stubbornness will now tragically cost him some time away from pursuing a happy life. He chose to make himself look like the bad guy, even though his justification was for "good" reasons. I understand that giving the passwords away in a court of law would probably be a bad idea, but it should never have gotten to that point. He should have certainly just met up with his boss and divulged all that he knew. That's common courtesy. Even if you don't like your employer, they still gave you a job and a paycheck. Sure you can leave, but it's always best to do so on good terms. In the end it's always wiser to be the better man and just walk away with a clean slate. If Terry Childs would have done that, he'd be a free man who could choose his own destiny and probably even find a halfway decent job. Now he's just another convict with multiple felonies that will have a hard time finding a job when he walks free.

Worse than that, you're being technically unreasonable while acting under the guise of being socially reasonable. I realize people consider IT socially inept--but you can't have your cake and eat it too here. And I'm someone that advocates *ignoring* policy when it's not reasonable. The problem with most policies is they aren't flexible--you have to ignore them to get things done, which causes lack of respect for the policy and recurses from there. But the SF policy was well written in a lot of ways--it provided a means for overriding it that was available to management, which they ignored until it outright did damage to their system.

Yes, you can't use policy to cite refusal to change policy justifiably. But you can and shouldn't deviate it just because someone asks you to--even if they're your boss. Especially--if your boss is not the person responsible for change of said policy. I only report to one person period in my present position--but in previous jobs, my boss wrote many policies--but *not* for example...the password policy. If they asked me to change it or override it, I could have (and should have) been fired if I listened to the request. In this case, it's not clear that his supervisor reasonably could have been interpreted as having the authority to edit that. Childs named the conditions--which were readily available to the city--and the city refused to attempt them.

Secondly--passwords do not belong to your employer, they belong to you. It's his employer's access and his employer's system. It's a quibble--but it's incredibly relevant. In your example, it is NOT your password. It is your access.

As a professional, you *should* understand the difference. You own the computer--not the identity, authentication, or authorization. You should not confuse the three, as this just encourages further misunderstandings.

I've got at least 150 passwords to remember. I use a password safe, but a few are dual purposed. I'm not handing my schema out to anyone. If someone needs access--I will be happy to reset the password for them, for any reason--provided I may do so from a secure, well connected terminal. If for some reason the system in question does not permit multiple administrative accounts--If they fire me--they're SOL unless they want to sign a 4 hour contract which will grant me authorization to deliver the access mechanisms for the system. There *are* other ways to restore access, which should be used if that is not acceptable.

This is NOT egocentric--this is basic self protection--and the only responsible thing to do professionally while functioning realistically. SHORT of generating a unique password for every single system, keeping them in a password safe, and turning over only that password. Unfortunately--that technical need often severely interferes with your primary job--getting things done as a sysadmin--I consider it unrealistic. Unfortunately most systems I need passwords for *won't* let me use a private key to authenticate. Or would you claim I should turn that over to employers too? Maybe I should give them the passphrase to my ssh keychain while I'm at it since that would be easier than having to physically plug RS232 into the router and thus demonstrating physical control of the hardware and access to the cabinet key?

Refusing to turn over a password protects not only accountability, but yourself, and the would-be recipient of the password. Had Childs turned over the password, he almost certainly would be *worse* off, as it likely would have resulted in damages to the system. And the people in charge would not have known the difference between whether he caused them, or they did.

My job is to run systems--not accept liability for the incompetence of my replacement, or management. My password is the second part of my access token in many--the other part being a username. On a well engineered system it will be a keyfob or private key validation.

Is to perhaps not be knee jerk about what "the right thing," is. Don't presume you know better than everyone, don't presume you are the one with whom the buck should stop and so on. You need to be able to look at the bigger picture. While you might think "the right thing," is for you and only you to have access to the systems because you feel you are the only one smart enough to handle it properly, well consider two things:

1) What happens if you are rendered unavailable? You could die, become incapacitated, whatever. What happens then if you are the only one who has the keys to get in? All of a sudden "the right thing" turned in to a rather large disaster.

2) Consider that maybe you aren't as smart as you think you are, or perhaps that everyone else isn't as dumb as you think they are. Perhaps your boss is perfectly capable of having the password as a backup and not using it to cause any trouble. You might not think he's smart enough, but maybe you aren't evaluating the situation fairly.

Also just remember that your job in IT is customer service, even if you never deal with customers. Your job is to help make computers do what people want them to. They are tools to reach some goal, and you are someone who helps that happen. Part of that means doing what your customers (which are usually your coworkers) want. That doesn't mean giving them everything, but it does mean not being a stone wall that just refuses to do something. Work with people, try to persuade rather than intimidate and so on.

Finally, when it comes down to it, they aren't your systems, they are the organization's systems and if they want to fuck it up, that's their thing. Argue against it, document your objections, but if that's what they want, let them do it. It isn't your place to stop it.

Remember, the police and the government here in America are utterly corrupt, and fighting against that is futile

You know, saying stuff like this is an insult to people who live in / come from places where the government and police *are* truly corrupt. I once worked with a guy from Brazil who was happy when he went through a police roadcheck because it reminded him he wasn't in Brazil. In Brazil he would have had to have paid a bribe to the police, been detained hours, or risked being pulled from his car and beaten. Here it was a few questions and 'have a nice night, sir' - And he was an olive-skinned guy driving a new Nissan. In the USA if the police knock on your door and ask to come in you can tell them to go away - And they have to. In many parts of the world they'll kick your door in without asking, trash your house, and rape your daughter for good measure.

I know absolutely nothing about the San Francisco network. But I find it interesting that Childs said, "These idiots can't be trusted with the passwords," and the second the idiots got the passwords, they published them for the world to see.

Sure enough, those idiots should not have been trusted with the passwords. Hard to fault a guy when they immediately proved him right. :-)

By the way, since this is a municipal system, here are some of the functions I've seen municipal systems handle:

1. 911 calls over VoIP.
2. Fire dispatch, as in "Building on fire here"
3. Police dispatch, as in "Crazy guy with gun over here."
4. Police data, as in "The license plate you just pulled over is driven by a violent felon."
5. Videoconferencing that connects lawyers to their clients
6. Utility billing/disconnect, as in "These people need their water/power/garbage cut off."

I could go on and on.

Wanna see your basic "evil hacker" movie play out in real life? You couldn't take over the world, but you could make some people miserable. Maybe even get a few of them killed when help doesn't arrive when it should...

Not all computer networks are about making sure Sally in accounting gets her email.

I think the problem people have, is that the court should never have been involved at all. Okay... so he's insubordinate and fired. No problem.

AFTER he's fired, they go to him and STILL want him to do part of his job (disclose the passwords). Tough cookies. The deal in employment is "payment received for services rendered". Once he's fired, he is not receiving payment from the city. So he's under no obligation whatsoever to render services.

You can make a case that he was insubordinate and deserved to be fired. But once he *was* fired, he was entirely in the right to tell the city to FOAD. And the court should have told the city to FOAD as well.

Imagine you were the CEO of Microsoft or Dell. Would your shareholders think it was a good idea if you had to address every problem personally? Hell no, that's what management and other abstract layers are for. I'm sure the citizens feel the same way about the Mayor's time too.

It's a valuable lesson; intelligent people are no more immune to self-deception. They might even be better at it.

Very true. Richard Feynman noticed this when he saw several otherwise intelligent people be tricked by Uri Geller and his spoon bending and various other tricks. "I'm smart enough to know that I'm dumb" is one of my favorite quotes.

In this case, I don't think it's self deception though. The guy is a nob, control freak, should have just given over the passwords, and should have been canned. That doesn't mean it's a crime though. The city essentially went insane with the crazy charges brought against him (3 of which were thrown out). The idea that not telling someone a password for 12 days is a felony and deserving of 2-5 years in jail is just completely ridiculous.

The fact that the city also controls prosecutors, this was a major national news story, and the DA's office is generally elected only served to escalate this case. If the city had backed down after they realized he hadn't hacked anything, they'd have lost face.

(Oh, and I thought Reiser was guilty as sin as soon as the evidence against him came out, so I really don't give a shit if someone is a geek or not)

Rather than investigate what you've just claimed, I'm going to ask if it makes any kind of sense to have a restrictive policy on disclosing one's user level password, and expect that you'll just turn over a system level password to an unknown number of unknown people.

Of course he shouldn't have had sole administrative access to the network; however, it seems likely that the fastest typist among the authorized, well intentioned people hearing this information would be far outpaced by the hypothetical fastest typist among any hypothetical bad guys.

Assuming your assertion is correct, it is evidence that the people he worked for were even more incompetent to handle the network than he feared. That doesn't put him on the right side of the law, but it does make his position sound a lot more sane.

This would be cheaper than prison, by a LONG way, be far more likely to be effective, AND would be more likely to increase his value to society (whereas prison rots skills and therefore decreases value).

Besides, taking someone with technical skills who, by the sound of it, has strong ethics and unfairly convicting him of a felony computer crime isn't particularly smart. When he gets out, he's not going to have much respect left for government, and as an ex-con probably won't be able to get legitimate work in his chosen field. Great way to turn an otherwise honest guy into a white-collar criminal.

This is a post written by someone who has clearly never actually been to a country with corrupt police, and having been to a few myself I was quite happy to get back to Western Europe/N.A. where people don't realize just how lucky they are that bribery is something we talk about on TV, not the only way to accomplish anything.

This has nothing to do with "ego" and everything to do with professionalism.

Sometimes doing the right thing means not "being nice" or being "expedient". This is the whole point of having professionals. They are supposed to stand by their professional judgement and not let stupid things happen just because ignorant people are whining at them.

Far too many professionals in general "pander" to the ignorant these days. It drags down every profession it infests.

I was speaking metaphorically. I meant criminal. And, in my opinion, it's a gross miscarriage of justice to make someone pay for their own prosecution. It's basically punishing them for not pleading guilty and trying to defend themselves. That would have the effect of causing a lot of innocent people to plead guilty.

Of course, plea bargaining already does that, and in my opinion is a strong argument against plea bargaining. They all come from the mindset that a conviction is better than justice.

The prosecutor said, "If I can show he did not stop after the officer indicated he should stop, will you convict him of fleeing arrest?"

After just a couple questions by the jury it became very clear that the person in question may have driven a short distance, probably did not speed away, and may have not been aware the officer was trying to pull him over.

But, I'm sure the folks they selected on the panel would take the position, "Well-- it's the LAW, he was told to stop and took 1000' instead of 100' to pull over so we convict him of a felony!"

For all the people who rail against the police, on the jury panels I've been on, a lot of folks seem really ready to do what the prosecutor says and screw the hell out of their fellow human beings.

Jury nullification is the only way to go. Just never admit that you believe in it. Just say, "I'm not convinced" if you think the law is unjust.

I can't believe they convicted him of a felony for this. I hope each of them is convicted of a similarly stupid law so they get justice. (and there are plenty of stupid laws on the books and increasingly fascist ones).

Thanks for responding. It appears from your wording you were on the jury. Is that true?

You say

essentially this juror went into deliberations, had already made up his mind, informed the rest of the jurors that he had thought about the matter on his own and made up his mind, and didn't want to hear anything more about it.

And yet you claim

He was not released for "having his own opinion" or being "a lone holdout".

It sounds to me from what you've written here that having his own opinion is exactly why he was removed.

This juror may not have explained his opinion to your (and perhaps other jurors') satisfaction - but unless I'm mistaken jurors are charged to render their verdict, not to satisfy the other jurors.

This person may have indeed had all the social graces of a rock, or it may have been the case they were being coerced by the mob behavior of the rest of the jury. I don't know, I certainly wasn't there. Important points may be in the full details you chose not to give. And we only have your experience of it - we don't have theirs.

It sounds like, if you were in fact on the jury, you were taking your responsibilities very seriously. But from what you've said this jury incident sounds a lot like the entire event in microcosm: someone with no social skills stands up for their principles in the face of public pressure to do the expedient thing, and is punished for it.

I appreciate you taking the time to respond. It was really very helpful and illuminating. Thank you again.

Jury nullification consists precisely in ignoring that particular instruction: that you should only apply the law and not judge the law itself. Duh. This notwithstanding, if you say you agreed with the law, and thought he had broken it, well, then, obviously you did the right (moral) thing and have a lot more info on the case than random slashdotters. Well done.

Right. I saw it happening a lot here after Hans Reiser killed his wife. It was pretty damn obvious he did it, but he sure had a lot of otherwise intelligent slashdotters refusing to face facts.

To be exact, you saw a lot of people hoping he didn't really do it without precluding the possibility that he did, after Hans Reiser was accused of killing his wife. Fortunately, in the United States, we have a legal concept summarized as "innocent until proven guilty", hence why many Slashdotters believed it was possible that he was innocent before he was convicted. Furthermore, when the case was first publicized, there wasn't that much evidence against him - it was only later that enough facts of the case were made public that it seemed likely that he was guilty.

On the other hand, the Terry Childs case is different - while in the Reiser case the disagreement was about what really happened, in the Childs case the disagreement is about whether or not what happened was legal.

If my understanding of the case is correct, he refused to disclose a password to some people who were not his supervisors (but maybe could qualify as "former supervisors"). I see nothing wrong with this legally, since the state's security policy specified that he was not allowed to disclose the password to his superiors (and security policies trump immediate supervisors), and because they were no longer his supervisors in the first place because they had fired him. I also see nothing wrong with this morally, because disclosing the passwords could have compromised the security of the system (after all, that's why it's forbidden by the security policy in the first place).

Now, it's possible that I have misunderstood the facts of the case (I mean, either I or the jury have, and it's a fair assumption that the jury is better informed than I, a random Slashdotter), but I've seen a few previous Slashdot stories on Terry Childs, and I haven't seen any comment refuting this particular viewpoint.

Funny thing: illegal aliens breaking into houses HAVE sued the homeowners for such things as falling on a knife and injuring their legs. Kids screwing around on the roofs of schools have sued the school district when they, illegally trespassing, nevertheless fell through a skylight and injured themselves.

In other words, the law is fucked up, and the fact that you can manage to empanel a jury of 12 retards who don't understand the law & policy, scare them with "wooh this was scary internets stuff", and then have a paid-off judge give the jury bad instructions doesn't help.

I see you got that chain email too.

Care to show us these cases? I've started googling and have only come up with sites debunking it.

I know they're so easy to believe since the [skewed] McDonald's hot coffee case, but let's try and be skeptical when we hear about any ridiculous lawsuits.

You think he was acting professionally and following policy? Look, I'm aware that his defense spread some story about the rules. You haven't read them, but I have. Here's from their rulebook:

"In accordance with these strategies the following policy statements apply to the key areas and functions of the Security Perimeter. In all statements where the “County Authority” (CA) is mentioned, depending on the County reporting structure, this can be the CIO, CISO, CTO, CEO or COO and implies the CA or their designee(s)."

"If someone demands a password, refer him or her to this document or have him or her call someone in Information Security."

Obviously he hated having to do what his boss told him enough to go to prison. But something tells me that if we go through the records of all the people who asked him for the passwords (and by the end it was certainly more than just his boss), we would find that among them was at least one person "in Information Security," or who was "CIO, CISO, CTO, CEO or COO and implies the CA or their designee(s)." [emphasis added]

You can see for yourself his actions don't match policy. He was just crazy enough to think he could still use password-blackmail to torch his boss to the mayor - from jail.

And that's even without looking at the detailed information that emerged from the trial:

"This jury was not made up of incompetent people.... I myself am a network engineer with a CCIE and thirteen years experience.... No matter what you think... you do not have... even 10% of... the full story. I am confident that we reached the correct verdict....One of the most difficult questions for us to answer... [was] who is an "authorized user"?... We did ultimately determine... beyond any reasonable doubt... his boss' boss was an authorized user."

More here [slashdot.org] - this juror is a /. user and these are from his posts.

This was not a verdict that we came to lightly. There were very difficult points to overcome in reaching it. We were not allowed to let our emotions or biases determine the matter, because if they could there may have been a different outcome. Quite simply, we followed the law.

This is like that psych experiment where a test subject is given a buzzer and a set of questions. A lab assistant plays the role of another test subject behind a screen. The buzzer is supposed to deliver a shock for every wrong question. It doesn't, of course, but the lab assistant acts like it does. With each wrong question he screams louder, whimpers, begs to stop the experiment. The official-looking SCIENTIST in his WHITE LAB COAT reassures the skeptical test subject that the experiment should continue. Some subjects will walk about but others will keep administering shocks for unanswered questions even after the man behind the screen is no longer making any noises. Unconscious? Dead? Doesn't matter. The man in the white coat told me what to do. He has AUTHORITY.

If the case never should have come to trial, find him not guilty. The charges are obviously bullshit. Where is it written that conscience and compassion have no place in our courts? Ok, mandatory sentencing says we have to leave our brains at the door but fuck that.

So let's assume that he violated policy in refusing to give the password to his boss's boss or create accounts for people. How does this amount to a criminal offense?

If he violates policy, then fire him. But it's the fault of his boss to let him be the only person with access to the system for this long. They should have had other qualified people working with him to help maintain what is described as such an important system. I'm confused about when this goes from being a personnel matter to a criminal matter. Is this just because he was a government employee, or does this extend to the private sector? The implications of this become very scary.

While jury service is commendable, you sir should be ashamed of what you've done. This guy was put in a no-win situation, one which YOU YOURSELF could someday face. To equate what he did with felony computer tampering puts us all one bad situation away from being felons, damned if we do and damned if we don't. Juries are there to ask the tough questions, to make sure laws squash people who don't deserve it. One quote from the article describes Mr Childs as "egotistical and paranoid". Well, you'd better lock a lot of us up then, because when you hold heightened responsibility and are tasked with guarding that system, that's what your actions are going to look like.

You state you "felt terrible" about the verdict. If that's true, then you made the wrong decision. And you've made life more dangerous for all network and systems professionals.

Jury Nullification [wikipedia.org]
Logic brought you to the conclusion that Mr. Childs was guilty based on the laws and definitions provided to you. However, you didn't like the verdict. Was jury nullification thought of?

This case should have never come to be. Management in the city's IT organization was terrible. There were no adopted security policies or procedures in place. This was a situation that management allowed to develop until it came to this unfortunate point. They did everything wrong that they possibly could have to create this situation. However, the city was not on trial, but Terry Childs was. And when we went into that jury room, we had very explicit instructions on what laws we were to apply and what definitions we were to follow in applying those laws.

Another poster already mentioned Jury Nullification; how can you, as a human being, convict another human being after saying you believe all of that?

And of course, the city can't be put on trial for its portion in this, can it? Nobody from the city is going to go to jail (and the city itself won't be legally "incarcerated") no matter how wrong it was. But because of your strict interpretation of the law, and some "common sense" interpretation about who an authorized user was (even though it wasn't legally specified), he has to go to jail and have his life ruined.

"We were not swayed at all by emotional opinion, because if we were we probably would have acquitted because we all agreed that the situation Terry Childs was put in was not called for. However, the facts in the case bore out the verdict we reached.

Quite simply, we followed the law. I personally, and many of the other jurors, felt terrible coming to this verdict."

You just did what you were told to do. When one of your fellow jurors refused to go along, he or she was replaced.

"Ordinary people, simply doing their jobs, and without any particular hostility on their part, can become agents in a terrible destructive process. Moreover, even when the destructive effects of their work become patently clear, and they are asked to carry out actions incompatible with fundamental standards of morality, relatively few people have the resources needed to resist authority." - Milgram

You've punished a man for something you don't think was wrong. May those who judge you be of greater morality.

As an American, I am profoundly depressed by this thread. I respect the juror who is posting his perspective here, and greatly appreciate the fact he's taking the time to explain what happened from an insider's perspective. But his account reveals a terrible devolution of our system of justice: the ordinary citizens on a jury no longer protect us against an inappropriate or unfair application of the law.

It makes me furious every time I hear a juror come out of the jury room and say "I don't think he really did anything bad, but according to the judge's instructions, I had no choice but to convict." No, you had a choice. The brilliantly cynical and untrusting rebels who wrote the Constitution put you there to make the choice. Not an unfeeling robotic choice, not a judge-directed decision, but an independent decision that truly reflects the informed judgment of a "jury of peers."

The jury has become, not an independent check against the juggernaut of government prosecution, but a mere puppet of the system. In such a legal system, any one of us can be sent to jail for life on the government's whim, because there's not one of us who doesn't -- knowingly or unknowingly -- violate several laws daily; we count on juries to say, when appropriate, "ok, maybe he technically violated the law, but this prosecution is unreasonable, and we're not going along with it."

Our system was designed to make it really, really hard to convict. And really easy to acquit. If the prosecutor doesn't like the case, he can toss it out. If the judge doesn't like the case, he can toss it out. Heck, if the judge doesn't like the jury's "guilty" verdict, he can toss it out (but he can't set aside a "not guilty" verdict). Why has the jury come to believe they can't exercise at least the same power as the prosecutors and the judge routinely do: the power to toss out a case that just ain't right?

We specifically spent hours on the question of intent and making sure we were beyond a reasonable doubt. As to the removal of the other juror, there's way more to that story than any paper knows, and I don't want to go much into it, but he was definitely dismissed "for cause", not because he was some type of lone holdout or something like that.

The law we used was CA Penal Code 502. We did not make up any laws or definitions in reaching our decision. Just take a look at the number of posts and opinions here which fall in both directions. Do you think they have more facts about the case available to them, who may have read some articles and blogs about it? Or do you think I may have more information upon which to base my opinion, after listening to five months of testimony, reading hundreds of emails, many sent by Mr. Childs himself, showing his state of mind and intent? There's way more to the story here than simply a good tech guy all of a sudden being requested to turn over some passwords.

About 5sec after the city let him have sole control of the network. The city is to blame as much as Childs. Where's the city's disaster recovery plan? They clearly don't have one or they'd never have any system with exactly one authorized user. He gave up his password(s) to the mayor -- the only person to whom he thought appropriate (misguided as that may be.) It should've ended right there.

There are tons of political BS going on behind the scenes here that we will never know. Why didn't he give his password(s) to his former boss? Because he hated his boss; the entire reason he set everything up the way he did was to keep all his "moron" coworkers from messing things up. Yet, those same "morons" have been managing the network just fine since Mayor Newsom returned with the password(s), and there haven't been any giant meltdowns. The city wants to paint him in as bad a light as possible to deflect blame from themselves; they aren't innocent in this mess either.

"We had a lot of sympathy for him," said juror Jason Chilton, who is a network engineer. "He was put in a position he should not have been put in."

Then they should have nullified the law - that's why we have juries. Juries have two jobs: one is to judge the crime, the other is to judge the law. Last time I sat on Jury Duty they showed an industrial training video that said pretty much the opposite. Only because I've read the US Supreme Court decisions specifically on the topic did I know better. I told the judge that I could not follow his orders if they ran contrary to natural rights and was dismissed. Others think it's better to lie and get on the jury and they have some points.

Yes, I was on the jury (see my post further on down). An essential part of jury deliberations is keeping an open mind, explaining your thoughts and opinions, and listening to the opinions of others. This was not the case here. I really won't go into the details on the matter as to not reveal personal information or background on the juror, but not only did he not do those items above, he also refused to follow the jury instructions and the legal definitions as provided by the judge that we had to use in our determination of the facts.

While you are allowed to look at testimony differently and debate that, you can't decide that a legal definition as provided by the judge is something you don't agree with and therefore won't follow. Essentially, you're supposed to follow the facts and then come to a conclusion. The problem here was that one person had a conclusion beforehand, and wanted to change the facts to fit it. It just doesn't work that way.

Bet you one of the conditions of Childs' "release" is a prohibition on using computers for the next 5 years.

You did what you thought right, and interpreted the judge's jury instructions as carrying the same weight as black-letter law. But they don't, and as others have pointed out the catch-all term "jury nullification" can be the right thing to do when the law is an ass, or when the prosecution has wildly overreached. Hopefully this'll be overturned on appeal, and I really would like Childs' managers and the key prosecutor's names to become as well-known as Childs. There was (and still is) plenty of blame to go around.

As others have pointed out, if the employer did not have a police force and court system handy, this never would have become a criminal matter.

Definitely not an attorney. I just went and read the actual statute. This is slashdot, we rarely ever even bother to read the article. Thank you for your responses on this.

I have to say, it's amazing how many issues one run-on sentence in a legal statute. Personally, I still think that you collectively made the wrong call on this. Not as a matter of compassion or as a matter of balancing the scales against some clear injustices on the other side as many have suggested. Two things bother me. The definitions of authorized users and of denial in the context of this law.

You've addressed the authorized user question fairly extensively, but I still don't agree. You determined that Childs at one time believed his boss' boss to be an authorized user, but I think it's still reasonable for him to cease believing that his boss is an authorized user. At least to such a degree that there's reasonable doubt that he knowingly denied access to an authorized user. As others have said, if it took that long to work it out, how could Childs really have been sure? Especially given his apparent belief that incompetence was sufficient to disqualify a user from being authorized.

The issue of denial is the real biggie for me. I read that law and see the section that boils down to denial of computer services. In my mind, I have a very clear idea of what a denial of service attack is in the context of computer services and it's active, not passive. I keep thinking about what the situation would have been if he'd just quit and moved to Wyoming, etc. The law seems to be for attackers, not people who just cease to be helpful.

Here's a thought experiment from another post: Bob is a network administrator. Bob sets the password for the network but doesn't write it down directly. Instead, he just writes down a reminder. Bob gets hit by a bus, and the only thing everyone has to go on is a scrap of paper that says "the private nickname I had for my first girlfriend". So, they track down his first girlfriend and ask her what the password is. For her own reasons, she refuses to tell them, even after they prove to her that they are authorized users. So, based on this law, she is knowingly and without permission disrupting or causing the disruption of computer services or denying or causing the denial of computer services to an authorized user of a computer, computer system, or computer network. Using the definition of that law that was used to convict Childs, she would be just as guilty as Childs has been found. The only thing in the law that she might be able to argue is the permission bit, but clearly she doesn't have permission from anyone to deny them access to their network (as senseless as that is in this context, it's a hundred percent true), so she's a felon. The fact that she's not an employee of the owner of the network doesn't seem to protect her under this law. Employees get a little extra protection than her, in fact.

I just don't know anymore. It seems like more and more things are becoming life-destroying crimes that would have once been handled in-house or as civil matters or just not been crimes. Violation of computer use policies. Children looking at each other naked. Letting the kids have an unsupervised party. All manner of copyright violations. Being rude to flight attendants. So on and so forth. I may just be suffering from curmudgeon's disease, but it seems like we're getting less and less free in just about every way. This case especially rubs me the wrong way because it hits so close to home.

I too really wish the case had been dismissed, but I think the city let this story get too large and didn't want to lose face by dropping all the charges. However, as a juror I cannot allow myself to make decisions based on why I think the city did what it did or whether I think that was right or wrong.

I'm sorry, but this is where you failed in your role as a juror. The whole point of a trial by jury is that you, the juror, are the last line of defense against injustice in all its various forms. You are supposed to use not only your intelligence, but also your common sense and personal sense of morality to render a truly just verdict.

The jury is a speed bump, a safety device, to prevent runaway application of the "just the facts" letter-of-the-law approach, and put the human element back into the justice machine. That's how the system was designed.

In your comments, you state that you wish the case had been dismissed, that the city was really crucifying Childs just so they could save face, etc. Obviously, you felt that finding Childs guilty was not just -- but you found him guilty anyway. I'm sorry, but if you truly felt what you state in your comments, then you failed miserably as a juror in this case.